55044 - SAS® Web Infrastructure Platform applications (including SAS® Logon Manager) might be vulnerable to Cross-Site Request Forgery attacks

Problem Note 55044: SAS® Web Infrastructure Platform applications (including SAS® Logon Manager) might be vulnerable to Cross-Site Request Forgery attacks

SAS Web Infrastructure Platform applications, including SAS Logon Manager, might be vulnerable to Cross-Site Request Forgery (CSRF) attacks.

CVSS Score: 6.0

Click the Hot Fix tab in this note to access the hot fix for this issue.

Important Notes:

The application of this hot fix provides a filter for protection against CSRF in the SAS^® installation. The filter is disabled by default to allow you the opportunity to configure it before it is enabled, which avoids potential user impact upon enablement.

With this protection enabled, requests that do not originate from sites that belong to a whitelist are rejected. By default, the implications of this change are that the SAS installation is secure against browser-based CSRF attacks and applications that are external to the SAS installation cannot link to SAS web applications. If you link to a SAS application from a company intranet or a portal page that is not hosted in the SAS installation, you encounter access denied messages when you click those links.

There are many legitimate cases where it is necessary to link to SAS web applications. For such cases, you can add a site that contains a link to a SAS web application to the SAS CSRF whitelist, as follows:

Launch SAS^® Management Console.
Select Application Management ► Configuration Manager.
Open the properties for SAS Application Infrastructure.
On the Advanced tab, add a property named sas.web.csrf.referers.knownHosts and specify the value as a comma-delimited list of whitelisted sites. For example, to enable my-intranet.example.com and test.my-intranet.example.com to the whitelist, set the value to http://my-intranet.example.com/,http://test.my-intranet.example.com/.

Including a trailing slash at the end of each value is important because omitting the slash means that sites can use a prefix attack to bypass the protections. Be sure to include port numbers in the value if the whitelisted site uses ports other than the standard 80 or 443 for HTTP and HTTPS, respectively. You can also restrict a value to an application on the whitelisted site by including the application’s path in the value, for example, http://my-intranet.example.com/my-application-path/.

In addition to whitelisting sites, you can also whitelist certain HTTP methods. For example, you can choose to allow GET requests from any site. However, the implication of this ability is that SAS applications that use GET requests to invoke certain behavior are now susceptible to CSRF attacks. If you choose to whitelist certain methods, then you can set the sas.web.csrf.referers.skipMethods property in the advanced properties for the SAS Application Infrastructure. This value should be a comma-delimited list of HTTP methods (for example, GET,OPTIONS,TRACE) that are to be skipped.

To enable CSRF checking and enforcement, set the sas.web.csrf.referers.performCheck property to true in the advanced properties for SAS Application Infrastructure.

After changing any of the properties that are discussed above, you must restart the SAS^® Web Application Server in order for the changes to take effect.

As an option, you can choose to set CSRF properties on individual web applications in your SAS installation by using Configuration Manager. After you make any changes in Configuration Manager, you need to restart all of the web application servers in your SAS middle tier in order for the settings to take effect.

For more details about the CSRF software attack, see the Open Web Application Security Project's (OWASP) Cross-Site Request Forgery (CSRF) page.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Web Infrastructure Platform	Solaris for x64	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		Linux for x64	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		HP-UX IPF	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		64-bit Enabled Solaris	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		64-bit Enabled HP-UX	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		64-bit Enabled AIX	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		Windows Vista for x64	9.2_M1		9.2 TS2M0
		Windows Vista	9.2_M1		9.2 TS2M0
		Microsoft Windows XP Professional	9.2_M1		9.2 TS2M0
		Microsoft Windows Server 2008 for x64	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		Microsoft Windows Server 2008 R2	9.2_M1	9.4_M3	9.2 TS2M0	9.4 TS1M3
		Microsoft Windows Server 2003 for x64	9.2_M1		9.2 TS2M0
		Microsoft Windows Server 2003 Standard Edition	9.2_M1		9.2 TS2M0
		Microsoft Windows Server 2003 Enterprise Edition	9.2_M1		9.2 TS2M0
		Microsoft Windows Server 2003 Datacenter Edition	9.2_M1		9.2 TS2M0

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	alert

Date Modified:	2015-05-06 12:08:28
Date Created:	2015-01-22 08:56:52

Support

Problem Note 55044: SAS® Web Infrastructure Platform applications (including SAS® Logon Manager) might be vulnerable to Cross-Site Request Forgery attacks

Operating System and Release Information